Merge pull request #1186 from sigstore/update-conformance

aaronlew02 · web-flow · commit f6934e57a2cb · 2026-05-06T14:16:23.000-04:00
Prioritize email over subject for SAN from OIDC token string
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -54,7 +54,7 @@ jobs:
           distribution: 'temurin'
 
       - name: Run Conformance Tests (production)
-        uses: sigstore/sigstore-conformance@9611941d54398f2e3f6383b6f744442a56d2fb2a # v0.0.26
+        uses: sigstore/sigstore-conformance@4d66ba3cb0c9c95f705c757c0f5e226d3f4d5151 # v0.0.27
         with:
           entrypoint: ${{ github.workspace }}/sigstore-cli/sigstore-cli-server
           environment: production
@@ -66,7 +66,7 @@ jobs:
             test_sign_verify_dsse
 
       - name: Run Conformance Tests (staging)
-        uses: sigstore/sigstore-conformance@9611941d54398f2e3f6383b6f744442a56d2fb2a # v0.0.26
+        uses: sigstore/sigstore-conformance@4d66ba3cb0c9c95f705c757c0f5e226d3f4d5151 # v0.0.27
         with:
           entrypoint: ${{ github.workspace }}/sigstore-cli/sigstore-cli-server
           environment: staging
diff --git a/sigstore-java/src/main/java/dev/sigstore/oidc/client/TokenStringOidcClient.java b/sigstore-java/src/main/java/dev/sigstore/oidc/client/TokenStringOidcClient.java
@@ -55,10 +55,26 @@ public OidcToken getIDToken(Map<String, String> env) throws OidcException {
     try {
       var idToken = idTokenProvider.getTokenString();
       var jws = JsonWebSignature.parse(new GsonFactory(), idToken);
+      String email = (String) jws.getPayload().get("email");
+      String san;
+      if (email != null) {
+        Boolean emailVerified = (Boolean) jws.getPayload().get("email_verified");
+        if (Boolean.FALSE.equals(emailVerified)) {
+          throw new OidcException(
+              String.format(
+                  java.util.Locale.ROOT,
+                  "identity provider '%s' reports email address '%s' has not been verified",
+                  jws.getPayload().getIssuer(),
+                  email));
+        }
+        san = email;
+      } else {
+        san = jws.getPayload().getSubject();
+      }
       return ImmutableOidcToken.builder()
           .idToken(idToken)
           .issuer(jws.getPayload().getIssuer())
-          .subjectAlternativeName(jws.getPayload().getSubject())
+          .subjectAlternativeName(san)
           .build();
     } catch (IOException e) {
       throw new OidcException("Failed to parse JWT", e);
